Anthropic's 'Project Glasswing'

A software bug in one widely used library can spread like a cracked part in millions of cars, because the same code gets reused across cloud services, phones, browsers, and banks. Anthropic says it is trying to find those weak spots before attackers do by putting a new model into a tightly controlled security program called Project Glasswing. (anthropic.com) Anthropic published Project Glasswing this week and named 12 launch partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. Anthropic says the target is “the world’s most critical software,” not consumer chatbots or general office work. (anthropic.com) The model inside the program is called Claude Mythos Preview, and Anthropic is not releasing it broadly. Anthropic says the model is meant for defensive security work because it can read large codebases, find vulnerabilities, and show whether a flaw is actually exploitable. (anthropic.com) (aws.amazon.com) That last step matters because a vulnerability report is often just a suspicion until someone proves it can be turned into a break-in. Amazon Web Services says Mythos Preview can “demonstrate exploitability,” which means partners are testing for bugs that can be used in the real world, not just theoretical mistakes in code. (aws.amazon.com) Anthropic says more than 40 additional organizations that build or maintain critical software infrastructure also got access beyond the 12 launch partners. The company says those groups can scan both their own software and open-source software, which is the shared code base much of the internet quietly runs on. (anthropic.com) Anthropic is also putting money behind it: up to $100 million in usage credits for Glasswing participants and $4 million for open-source security work. That structure tells you this is not just a press alliance between rivals; it is a funded effort to get the model pointed at code that many companies depend on at once. (anthropic.com) The unusual part is who showed up together. Apple, Google, Microsoft, and Amazon Web Services usually compete at the platform level, but software supply-chain attacks do not care whose logo is on the server, because one compromised package can jump across companies that all rely on the same component. (anthropic.com) (infosecurity-magazine.com) Anthropic says Mythos Preview has already found thousands of major vulnerabilities, including flaws in major operating systems and web browsers, but the company is keeping details limited while fixes are developed. NBC News reported Anthropic is withholding broad release because the same capabilities that help defenders could also help attackers if the model were opened too quickly. (forbes.com) (nbcnews.com) This lands in a security world already shaped by open-source incidents like Log4Shell in 2021 and the XZ Utils backdoor scare in 2024, where a problem in one shared component created risk far beyond the original project. Project Glasswing is built around the idea that if one model can inspect huge amounts of code faster than human teams, the first place to use it is the software everyone else builds on. (cisa.gov) (openwall.com) (anthropic.com) So the story is not just that Anthropic has a stronger model. It is that some of the companies running the clouds, devices, networks, chips, and security tools underneath daily life are testing whether one locked-down model can act like a tireless bug hunter across shared infrastructure before criminals get the same advantage. (anthropic.com) (aws.amazon.com)